Extending P4 in-band telemetry to user equipment for latency- and localization-aware autonomous networking with AI forecasting
In beyond-5G networks, detailed end-to-end monitoring of specific application traffic will be required along the access-backhaul-cloud continuum to enable low-latency services through local edge steering. Current monitoring solutions are confined to specific network segments. In-band network telemetry (INT) technologies for software-defined network (SDN) programmable data planes based on the P4 language are effective in the backhaul segment, but they are limited to inter-switch latency; link latencies of the wireless and optical segments are therefore excluded from INT monitoring. Moreover, information such as user equipment (UE) geolocation would allow detailed mobility monitoring and improved cloud-edge steering policies. However, synchronizing latency and location information, which are typically provided by different platforms, is hard to achieve with current monitoring systems. In this paper, P4-based INT is proposed to be thoroughly extended to involve the UE. The INT mechanism is designed to provide synchronized and accurate end-to-end latency and geolocation information, enabling decentralized steering policies, i.e., involving the UE and selected switches, without SDN controller intervention. The proposal also includes an artificial-intelligence-assisted forecast system able to predict latency and geolocation in advance and trigger faster edge steering.
Outsmarting Network Security with SDN Teleportation
Software-defined networking is considered a promising new paradigm, enabling
more reliable and formally verifiable communication networks. However, this
paper shows that the separation of the control plane from the data plane, which
lies at the heart of Software-Defined Networks (SDNs), introduces a new
vulnerability which we call teleportation. An attacker (e.g., a
malicious switch in the data plane or a host connected to the network) can use
teleportation to transmit information via the control plane and bypass critical
network functions in the data plane (e.g., a firewall), and to violate security
policies as well as logical and even physical separations. This paper
characterizes the design space for teleportation attacks theoretically, and
then identifies four different teleportation techniques. We demonstrate and
discuss how these techniques can be exploited for different attacks (e.g.,
exfiltrating confidential data at high rates), and also initiate the discussion
of possible countermeasures. Generally, and given today's trend toward more
intent-based networking, we believe that our findings are relevant beyond the
use cases considered in this paper.
Comment: Accepted in EuroSP'1
Know Your Enemy: Stealth Configuration-Information Gathering in SDN
Software Defined Networking (SDN) is a network architecture that aims at
providing high flexibility through the separation of the network logic from the
forwarding functions. The industry has already widely adopted SDN and
researchers thoroughly analyzed its vulnerabilities, proposing solutions to
improve its security. However, we believe important security aspects of SDN are
still left uninvestigated. In this paper, we raise the concern of the
possibility for an attacker to obtain knowledge about an SDN network. In
particular, we introduce a novel attack, named Know Your Enemy (KYE), by means
of which an attacker can gather vital information about the configuration of
the network. This information ranges from the configuration of security tools,
such as attack detection thresholds for network scanning, to general network
policies like QoS and network virtualization. Additionally, we show that an
attacker can perform a KYE attack in a stealthy fashion, i.e., without the risk
of being detected. We underline that the vulnerability exploited by the KYE
attack is proper of SDN and is not present in legacy networks. To address the
KYE attack, we also propose an active defense countermeasure based on network
flows obfuscation, which considerably increases the complexity for a successful
attack. Our solution offers provable security guarantees that can be tailored
to the needs of the specific network under consideration.